Uber’s Former Security Chief Charged for Using $100K Bitcoin Hush Payment to Hide Data Breach

Shine Li   Aug 21, 2020 04:00

Former Chief Security Officer at Uber, Joseph Sullivan, has been charged with allegedly paying $100K in Bitcoin to hackers to cover up a company data breach.

Uber suffers a large-scale data breach 

The data breach that happened in 2016 and that targeted Uber resulted in a huge loss of data. The hackers seized information from millions of Uber users and drivers. Furthermore, in order to extort Bitcoin payments, hackers messaged Sullivan privately, demanding a ransom in exchange for silence. 


The hackers told Sullivan that they had successfully hacked an Uber database that contained personal identifying information of approximately 75 million Uber users and drivers. In the official complaint filed to the United States Department of Justice (DOJ), Sullivan was charged with purposely covering up the data breach and misleading the Federal Trade Commission (FTC). 


To cover up the massive data breach suffered by Uber, Sullivan transferred $100,000 in Bitcoin (BTC) as a hush payment to the hackers. The act was accomplished through a bug bounty program, that consisted of a regulated network typically used to pay hired hackers whose objective was to find company network bugs and fix the company’s security issues. 

Speaking up on the subject matter, US Attorney Anderson stated: 


“Silicon Valley is not the Wild West. We expect good corporate citizenship. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.” 

Sullivan commits more than one offense 


In the complaint filed to the DOJ, it depicted how Sullivan played an active role in covering up holes pertaining to Uber’s cybersecurity. He had dealt with the FTC’s inquiries directly. Uber had initially been hacked in 2014. When the FTC demanded responses to aid its investigation, Sullivan was designated as Uber’s responder and swore to provide truthful testimony regarding the cybersecurity breach.  



Shortly after testifying in front of the FTC, Sullivan received an email in November 2016 that notified him that Uber had once again been breached. Uber confirmed the breach with him. However, this time, rather than reporting the 2016 breach directly to US investigators, Sullivan opted for a hush payment of $100,000 in BTCfunneling the funds to the hackers through the bug bounty program in exchange for their silence 


In addition to paying off the hackers, Sullivan made them sign non-disclosure agreements. In the enclosed document, it falsely detailed that the hackers did not steal any data from Uber.  


Later, upon further investigation, the identities of two of the hackers were revealed.  


The FBI and US Attorney Anderson have announced that the former Chief Security Officer for Uber is now charged in federal court for obstruction of justice and misprision of a felony pertaining to the 2016 hack of Uber. 


As for the two hackers whose identities were uncovered, they are currently awaiting sentencing, and have pled guilty to charges of computer fraud conspiracy. 


Cybercrime on the rise, schools targeted 


As business is increasingly being conducted online and companies have sought out solutions to enhance their online presence, cybercrime has been on the rise.  


Recently, the University of California suffered from a ransomware attack that demanded 118 in Bitcoin. The prize was originally set higher, but after a week-long negotiation between the hacking operation and the university’s negotiator, an agreement was reached. 

Image source: Shutterstock

Read More